CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / Cyber Science & Technology at the Army Research Laboratory (ARL) / Cyber Science and Technology at the Army Research Laboratory

Cyber Science and Technology at the Army Research Laboratory

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 1 - Cyber Science & Technology at the Army Research Laboratory (ARL)
Author: Dr. Alexander Kott
| Leave a Comment

The U.S. Army Research Laboratory (ARL) received the first salvos in the battle for cybersecurity as early as three decades ago. In terms of technology history, it was an astonishingly long time ago. Before most people ever heard of the Internet. Before there were web browsers. Long before the smartphones. Back in 1986, the laboratory withstood attacks by Markus Hess, a Soviet-sponsored hacker who had successfully penetrated dozens of U.S. military computer sites. In his bestselling book, The Cuckoo’s Egg, the pioneering U.S. cyber defender, Cliff Stoll, describes how he monitored the hacker’s networks activities in the fall of 1986: “He then tried the Army’s Ballistic Research Lab’s computers in Aberdeen, Maryland. The Milnet took only a second to connect, but BRL’s passwords defeated him: he couldn’t get through” (Stoll 1989).

Two years later, the laboratory faced the legendary Morris Worm. Around midnight on November 3, 1988, system managers at the Army’s Ballistic Research Laboratory noticed their computers slowing down to a crawl as the worm stole precious computing processing time. Fearing a foreign attack, they pulled their computers off the nationwide network predating the Internet, called ARPAnet.” (Hess, 2016)

The Army’s Ballistic Research Lab, an ancestor of ARL, was the home of the ENIAC, the world’s first electronic digital computer in 1946. It was also where the “ping” program was written in 1983, and where many other milestones of computing and networking took place. The encounters with the Soviet-sponsored hacker and with the Morris Worm were among such milestones.
Since those early beginnings, the history of ARL’s efforts in cyber defense was exciting and challenging (Fig. 1). Although ARL is the Army’s corporate laboratory that focuses on fundamental and early applied research (in the Department of Defense lingo – the research of 6.1 and early 6.2 types), the fundamental science endeavors are closely integrated with extensive operationally-oriented programs. These range from providing continuous cybersecurity defense services to multiple organizations, as well as cyber survivability and vulnerability analysis of Army systems.
A remarkable feature of ARL’s business model is the great degree of collaboration with the academic community. One example is the Cyber Collaborative Research Alliance (CRA) (see the article “Cyber Collaborative Research Alliance” in this issue) that brings together, in closely integrated collaborative projects, ARL scientists with academic researchers from dozens of U.S. universities. Cyber CRA aims to develop the fundamental science of cyber detection, risk, agility, as well as the overarching challenge of human factors in cyber security. Similarly, the Network Science Collaborative Technology Alliance (see http://www.ns-cta.org/ integrates ARL and academic research efforts towards a broad understanding of how multi-genre networks of humans and information and communications devices influence each other and undergo complex dynamic transformations.

ARL collaborations are not limited to U.S. universities. ARL is also actively engaged with international partners. ARL’s Open Campus business model (http://www.arl.army.mil/) helps such wide-ranged collaborations by providing facilities and organizational support for enabling scientists and engineers from the U.S. and abroad to come to ARL for a period of time to work in partnership with ARL scientists.

Fig. 1 ARL cyber research was always informed by real-world environment

Complementing its close ties with academic scientists, ARL research is also intertwined with practical, day-to-day operational responsibilities. Scientists are in direct communications with cyber analysts from the ARL Cybersecurity Service Provider (CSSP), a Tier II organization that defends networks of hundreds of customers belonging to all U.S. Military services, other government organizations, and even industrial entities (e.g., see the article “Information Security Continuous Monitoring (ISCM)” in this issue). ARL has a strong reputation in the area of threat analysis and forensics. The laboratory’s experts in these fields are in high demand as they support cyber-related investigations conducted by law enforcement and counter-intelligence bodies. Vulnerability and survivability assessments of systems and networks that are either already deployed or are still in acquisition process, are another major area of ARL practical, hands-on contributions to Army cybersecurity. ARL’s highly experienced teams of experts perform Cooperative Vulnerability and Penetration Assessments (blue team assessments) as well as Adversarial Assessments (red team assessments). Practical operational insights and needs obtained in operational activities are provided to scientists. They, in turn, utilize observations and data to develop new theories and models, and eventually to develop tools that transition into operational use.

Although participants of a broad cyber research community, ARL cyber scientists are largely driven by challenges unique to the ground operations of the Army. A key example is the exceptionally large attack surface of Army networks: the Army operates in environments within close proximity to allied and civilian assets and adversaries, comprising a complex cyber ecosystem. Forward-deployed network assets are vulnerable to cyber entry or physical capture and subversion of information and devices. Another distinct feature of Army cyber environments is the relatively disadvantaged assets, as the Soldiers’ computing and communication devices are energy and weight constrained, with limited bandwidth and computational capacity. The large number of nodes and fast changes of Army cyber environments are also quite distinct. Soldiers operate in a mobile environment, in complex terrain, with rapidly changing connectivity. Lastly, these networks are often interspersed with civilian, allied, and adversarial networks.

These challenges inform and focus of ARL’s research areas. One key area of research is the understanding the cyber threat. The topics in this area range from inferring influences and relations within a command and control organization from its encrypted communications, to novel uses of stylometry for identifying authors or origins of malware (Caliskan-Islam and Harang 2015), to tools and techniques for forensic analysis, and even to the study of cultural factors and personality that influence patterns of behaviors of cyber actors (Cho et al 2016).

Understanding the threats contributes to the characterization of risk experienced by a system or network. ARL’s research in risk characterization includes such topics as statistical analysis of factors affecting the anticipated frequency of successful cyber attacks and theoretical approaches to network risk computation (see the article “Risk analysis with execution-based model generation” in this issue; also (Cam 2015). It also includes applied efforts to develop better procedures for risk inspection programs; tools for continuous monitoring of risk, cyber situational awareness (Kott et al 2014), and decision support systems for cyber risk assessments.

Knowing the risks helps focus the detection efforts (Kott and Arnold 2013). The comprehensive portfolio of ARL’s research in detection of hostile cyber activities is based on close integration with practical network defense operations. It provides data and insights, and leads to the study of topics like the impact of packet loss in realistic cyber sensors on effectiveness of intrusion detection (Smith et al 2016). Other topics include special issues of detection in cyber physical systems; use of machine learning for detection methods suitable for mobile, resource-constrained devices (Harang et al 2015); cognitive models of human analyst’s process of detection (Acosta et al 2016); and synergistic approaches to human-machine intrusion detection (see the article “Synergistic Architecture for Human-Machine Intrusion Detection” in this issue).

Ultimately, whether detected or not, the hostile cyber activities must be defeated. ARL explores approaches such as active cyber defense (Marvel et al 2014), post-intrusion triage for optimized recovery (Mell and Harang 2014), and cyber maneuvers that limit lateral propagation of hostile malware (Ben-Asher et al 2016).

These research projects are supported by a network of experimental facilities and laboratories dedicated to cyber research. For example, the ARL Cybersecurity Service Provider performs double duty: it supports large-scale operational cyber defense, but also acts as a laboratory for collection of real-world data for research, and a platform for insertion and testing of novel cyber defense tools continually invented and developed by ARL scientists.

Another example of a laboratory is the virtual laboratory called CyberVAN. It is an environment for design and execution of cyber experiments using virtual machines, real Army applications, and a network simulator capable of realistic portrayal of sizeable Army units in mobile operations in complex terrain. CyberVAN is particularly well suited for experimental validation of theoretical results by academic researchers, including international collaborators.

Additionally, the Army Cyber-research and Analytics Laboratory at ARL serves as an environment that supports various industrial and federally-funded partners of ARL. Its functions range: personnel training, product integration, systems engineering, and integrated testing using real-world data. A unique CHIMERA laboratory specializes in the study of human factors and human-information interactions in cyber defense; it helps to explore the human dimension of cybersecurity.

References

  1. Acosta J, Edwards J, Shearer G, Parker T, Braun T, Marvel L. Modeling the decision processes of cybersecurity analysts to improve security assessments and defense strategies. Paper presented at: 23rd Annual National Fire Control Symposium (NFCS); 2016 Feb 8–11; Lake Buena Vista, FL.
  2. Ben-Asher N, Morris-King J, Thompson B, Glodek W. Attacker Skill, Defender Strategies, and the Effectiveness of Migration-Based Moving Target Defense in Cyber Systems. Paper presented at: 11th International Conference on Cyber Warfare and Security; 2016; Boston, MA.
  3. Caliskan-Islam A, Harang R, et al. De-anonymizing Programmers via Code Stylometry. SEC’15 Proceedings of the 24th USENIX Security Symposium; 2015; Washington, DC. Berkeley, CA: USENIX Association; c2015. p. 255-270.
  4. Cam H. Risk Assessment by Dynamic Representation of Vulnerability, Exploitation, and Impact. In: Ternovakiy, IV, Chin P. Proc. SPIE 9458 Cyber Sensing; 2015 April 20-24; Baltimore, MD. SPIE Proceedings Vol. 9548; c2015.
  5. Cho J, Cam H, Oltramari A. Effect of personality traits on trust and risk to phishing vulnerability: Modeling and analysis. 2016 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA). IEEE, 2016.
  6. Harang R, Marvel L, Parker T, Glodek W. Bandwidth Conserving DCO Signature Deployment with Signature Set Privacy. IEEE MILCOM 2015; Tampa, FL; October 2015.
  7. Hess M. The Worm that Changed the Internet. Everything CBTN. From https://blog.cbtnuggets.com/2016/02/the-worm-that-changed-the-internet/. [accessed 2016 Feb 3].
  8. Kott A, Alberts D A, Wang C. Will Cybersecurity Dictate the Outcome of Future Wars?. Computer 48.12 (2015):98-101.
  9. Kott A, Arnold C. The promises and challenges of continuous monitoring and risk scoring. IEEE Security & Privacy 11.1 (2013):90-93.
  10. Kott A, Wang C, Erbacher RF eds. 2014. Cyber Defense and Situational Awareness. New York: Springer.
  11. Marvel L, Harang RE, Glodek WJ , Parker TW, Ritchey RP. A Proposed Model for Active Computer Network Defense. IEEE MILCOM 2014; Baltimore, MD; 2014 October.
  12. Smith SC, Hammell RJ, Parker TW, and Marvel LM. A theoretical exploration of the impact of packet loss on network intrusion detection. International Journal of Networked and Distributed Computing, 4(1): 2016 Jan 1.
  13. Stoll C. The Cuckoo’s Egg. New York, NY Simon & Schuster, 1989.
  14. Mell, P., & Harang, R. E. (2014, June). Using network tainting to bound the scope of network ingress attacks. In proceedings of the Eighth International Conference on Software Security and Reliability (pp. 206-215). IEEE.

Author

Dr. Alexander Kott
Dr. Alexander Kott
Alexander Kott serves as the chief of the Network Science Division of the Army Research Laboratory headquartered in Adelphi, MD. In this position, he is responsible for fundamental research and applied development in performance and security of both tactical mobile and strategic networks. He oversees projects in network performance and security, intrusion detection, and network emulation. Between 2003 and 2008, Dr. Kott served as a Defense Advanced Research Projects Agency (DARPA) program manager responsible for a number of large-scale advanced technology research programs. His earlier positions included technical director of BBN Technologies, Cambridge, MA; director of R&D at Logica Carnegie Group, Pittsburgh, PA; and IT research department manager at AlliedSignal, Inc., Morristown, NJ. Dr. Kott received the Secretary of Defense Exceptional Public Service Award and accompanying Exceptional Public Service Medal, in October 2008. He earned his Ph.D. from the University of Pittsburgh, Pittsburgh, PA, in 1989, published over 70 technical papers, and co-authored and edited six technical books.

Reader Interactions

Leave a Comment